A well-written MMS virus could saturate an entire population of cell phones …

Events like the spread of the Conficker worm illustrate the risks posed by the combination of a sophisticated operating system and an always-on Internet connection. With the expanding popularity of smartphones, which come with multitasking operating systems and convenient software development kits, the same risk may well apply. But, despite the fact that exploit code has been around for several years, nothing on the scale of Conficker has ever struck the cellphone world. A study that will be released online in Science Express looks into why this might be the case, and concludes that a major contributor is the lack of an operating system monoculture in the cellphone world.

The authors say that the customized combinations of hardware and software that characterized early cellphones left little for a virus writer to target, but the rise of smartphones is changing matters rapidly. Since 2004, there have apparently been over 400 phone-specific viruses, and the authors say that many of these show a level of sophistication that indicates their authors have been following developments in the PC world (or, potentially, the authors are one and the same). Some of these viruses were even able to spread by both Bluetooth and MMS services.

So why haven't we been greeted with news reports of phone viruses run amok? To look into the answer, the authors modeled the spread of viruses using real-world data on the connectivity of a cellphone network. For reasons that aren't clearly spelled out, they obtained a month of anonymized cellphone usage data from a carrier, which included the timing and location of every connection made by over six million users through over 10,000 cell towers. Based on that data set, they could infer both the connectivity among the nodes (phones) on the network and their physical proximity. Given that data, they could run standard epidemiological models of infection spread (one of the authors is based at a medical school) and see how different assumptions change the spread of the virtual infection.

The authors modeled two modes of infection. For Bluetooth, the density of phones within a given tower's range was used to approximate the number of phones that wound up within Bluetooth range, and thus would be targeted for infection. For spread via MMS, the number of calls placed among the company's customers was used to approximate whether a given user was likely to have another in their address book, which would be used to target them for MMS infection; attempts to spread would be made every two minutes. The authors assumed an effective virus that didn't require any actions on the recipient's part to infect their phone.

In both cases, the authors found what they termed a "percolation phase," in which the virus built to a critical mass that allowed its rapid propagation. The requirement for physical proximity slowed Bluetooth viruses down significantly, as these infections typically required several days to reach saturation. The authors suggested that this might be sufficiently slow to allow an antidote to be rolled out by the service provider. For viruses spread by MMS, that would be a luxury, as they reach saturation within a few hours.

The primary limit for the MMS viruses is network fragmentation—at least some collections of users are unlikely to be plugged into the wider user network, and thus the virus is unlikely to ever reach these isolated clusters of users. Hybrid viruses, also tested by the authors, eventually found their way into these isolated clusters, though.

A key factor that moderated all of these behaviors, however, was the market penetration of the operating system involved. The researchers considered both the relatively low market share of smartphones in general (about five percent) and the fact that different operating systems have different slices of that pie, with Symbian being relatively common, and the Palm OS being quite rare. Factoring this in showed that the OS market share affected both the length of the percolation period (longer for the less popular ones) and the degree of network fragmentation—the less common the OS, the more common isolated clusters of users would be.
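The link between market share and fragmentation can be seen in a small percolation model. This is an added example, not the study's code: the random call graph, its mean degree of 4, the network size, and all function names are assumptions standing in for the carrier data.

```python
import random
from collections import deque

def call_graph(n, avg_degree, rng):
    """Constructed stand-in for a carrier call graph: uniform random edges."""
    adj = [set() for _ in range(n)]
    remaining = n * avg_degree // 2
    while remaining:
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b and b not in adj[a]:
            adj[a].add(b)
            adj[b].add(a)
            remaining -= 1
    return adj

def largest_cluster(adj, susceptible):
    """Largest group of susceptible phones linked only through each other."""
    seen, best = set(), 0
    for start in susceptible:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            phone = queue.popleft()
            size += 1
            for contact in adj[phone]:
                # A message to a phone running another OS is a dead end.
                if contact in susceptible and contact not in seen:
                    seen.add(contact)
                    queue.append(contact)
        best = max(best, size)
    return best

def reachable_fraction(market_share, n=20000, avg_degree=4, seed=1):
    """Share of vulnerable phones in the largest cluster one MMS outbreak could saturate."""
    rng = random.Random(seed)
    adj = call_graph(n, avg_degree, rng)
    susceptible = {p for p in range(n) if rng.random() < market_share}
    if not susceptible:
        return 0.0
    return largest_cluster(adj, susceptible) / len(susceptible)

if __name__ == "__main__":
    for share in (0.05, 0.25, 0.50, 0.80):
        print(f"market share {share:.0%}: largest cluster holds "
              f"{reachable_fraction(share):.1%} of vulnerable phones")
```

On this constructed graph the large connected cluster only appears once market share passes roughly 1/avg_degree; the threshold on a real call graph will differ.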

So far, competition within the smartphone space has remained fierce. If anything, Symbian users are being made safer by the arrival of new competitors on the scene, as its prevalence, and thus its risk, is dropping. At the same time, however, smartphones are becoming far more popular, which will exacerbate everyone's chances of getting their phone infected.

Again, all of this was done with the assumption that infections would be successful. For the most part, it appears that smartphone OS developers have the same advantage virus writers do: they're well aware of the sorts of vulnerabilities that have plagued the desktop world, and are placing far more restrictions on the code that runs on these devices.